DoorDash disclosed a **cybersecurity incident** on **November 13**, confirming a **data breach** caused by a **social engineering attack** targeting an employee on **October 25**. The unauthorized access exposed **personal information** of certain users, including **Dashers and merchants**, such as **names, email addresses, phone numbers, and physical addresses**. While DoorDash stated that **no sensitive data (payment details, government IDs, or Social Security numbers)** was compromised and no evidence of misuse (fraud/identity theft) was found, the breach sparked **public backlash** for downplaying the severity of exposed data (e.g., home addresses labeled as 'non-sensitive'). The company **revoked access immediately**, notified affected users, and engaged law enforcement. To mitigate future risks, DoorDash is **reinforcing employee training** and **strengthening authentication protocols**. The incident coincides with **stock volatility** (down **21% this month**) and a separate **$18M legal settlement** with Chicago over deceptive business practices, adding to operational and reputational pressures.
Source: https://finance.yahoo.com/news/doordash-discloses-data-breach-18m-224652145.html
TPRM report: https://www.rankiteo.com/company/doordash-for-business
{
  "id": "doo5632556111825",
  "linkid": "doordash-for-business",
  "type": "Breach",
  "date": "10/2025",
  "severity": "60",
  "impact": "3",
  "explanation": "Attack with significant impact with internal employee data leaks"
}
{'affected_entities': [{'customers_affected': 'Certain Users (Dashers and '
'Merchants)',
'industry': 'Technology / E-Commerce',
'location': 'United States (HQ: San Francisco, CA)',
'name': 'DoorDash',
'size': 'Large (Publicly Traded, NYSE: DASH)',
'type': 'Food Delivery Platform'}],
'attack_vector': 'Social Engineering (Employee Targeted)',
'customer_advisories': 'Public Notice Issued (November 13, 2023)',
'data_breach': {'data_exfiltration': 'Likely (Unauthorized Access Confirmed)',
'personally_identifiable_information': ['Names',
'Email Addresses',
'Phone Numbers',
'Physical Addresses'],
'sensitivity_of_data': 'Moderate (No Financial/Payment Data '
'or Government IDs)',
'type_of_data_compromised': ['Personal Information (PII)']},
'date_detected': '2023-10-25',
'date_publicly_disclosed': '2023-11-13',
'description': 'DoorDash disclosed a cybersecurity incident where an '
'unauthorized person accessed personal information of certain '
'users (including Dashers and merchants) through a social '
'engineering attack targeting an employee. The breach occurred '
'on October 25, 2023, and was publicly disclosed on November '
'13, 2023. Affected data included names, email addresses, '
'phone numbers, and physical addresses, but no sensitive '
'information like payment details, government IDs, or Social '
'Security numbers was exposed. DoorDash revoked the '
'unauthorized access, notified affected users, and is '
'cooperating with law enforcement. The company is reinforcing '
'employee training and authentication protocols to prevent '
'future incidents.',
'impact': {'brand_reputation_impact': 'Negative (Criticism for Data Handling, '
'Stock Volatility)',
'customer_complaints': 'Backlash on Reddit for Downplaying '
'Severity of Exposed Data (e.g., Names and '
"Home Addresses as 'Non-Sensitive')",
'data_compromised': ['Names',
'Email Addresses',
'Phone Numbers',
'Physical Addresses'],
'identity_theft_risk': 'No Indication of Misuse (as of Disclosure)',
'operational_impact': 'Minimal (Access Revoked Immediately)',
'payment_information_risk': 'None (Payment Information Not '
'Exposed)'},
'initial_access_broker': {'data_sold_on_dark_web': 'No Indication (as of '
'Disclosure)',
'entry_point': 'Employee (Social Engineering)',
'high_value_targets': ['User Data (Dashers and '
'Merchants)']},
'investigation_status': 'Ongoing (Law Enforcement Involved)',
'lessons_learned': 'Importance of robust authentication protocols and '
'employee training to mitigate social engineering risks. '
'Need for clearer communication about the sensitivity of '
'exposed data (e.g., physical addresses).',
'post_incident_analysis': {'corrective_actions': ['Reinforced employee '
'training on social '
'engineering risks.',
'Strengthened '
'authentication protocols '
'(details unspecified).'],
'root_causes': ['Inadequate authentication '
'safeguards for employee accounts.',
'Successful social engineering '
'exploit targeting an employee.']},
'recommendations': ['Implement multi-factor authentication (MFA) for employee '
'accounts with access to sensitive systems.',
'Conduct regular phishing/social engineering simulations '
'for employees.',
'Enhance transparency in breach disclosures to address '
'public concerns about data sensitivity.',
'Monitor dark web for potential misuse of exposed data.'],
'references': [{'date_accessed': '2023-11-13',
'source': 'DoorDash Notice to Users'},
{'date_accessed': '2023-11',
'source': 'Reddit User Discussions'},
{'date_accessed': '2023-11',
'source': 'Shutterstock (Stock Performance Image)',
'url': 'https://www.shutterstock.com'}],
'response': {'communication_strategy': 'Public Notice to Users (November 13, '
'2023)',
'containment_measures': ['Immediate Access Revocation'],
'incident_response_plan_activated': 'Yes (Access Revoked, Users '
'Notified)',
'law_enforcement_notified': 'Yes (Investigation Ongoing)',
'remediation_measures': ['Reinforced Employee Training',
'Strengthened Authentication '
'Protocols']},
'threat_actor': 'Unauthorized Individual (Unknown)',
'title': 'DoorDash Data Breach via Social Engineering Attack (October 2023)',
'type': ['Data Breach', 'Social Engineering Attack'],
'vulnerability_exploited': 'Human Error / Lack of Authentication Protocols'}